Google Pay allows customers to make secure payments without manually entering card details. It is supported on Android devices and Chrome browsers, providing a seamless checkout experience. Merchants can integrate Google Pay in an H2H setup, where they transmit payment data directly from Google Pay API responses to Solidgate for processing.
Google Pay tokens contain encrypted card information stored within a customer’s digital wallet and let you securely pass your customers’ data to process payments. The approach to decrypting these tokens depends on whether merchants are PCI DSS-compliant or not. If PCI DSS-compliant, they can handle the token decryption and pass raw card details to Solidgate.
Let Solidgate handle decryption
Solidgate can handle the token decryption if you are not PCI DSS-compliant. Once a payment is initiated, your application or website receives a Google Pay token, which you must include in the Google Pay API payment request.
For this to work, you need:
- Integration with Solidgate
- Integration with Google:
  - Web application
  - Android application
  - Google Pay & Wallet Console for the Google Pay Merchant ID
Payment flow
- The customer initiates a payment by clicking the Google Pay button on the checkout page.
- The merchant invokes the Google Pay API button, and Google handles the customer authorization.
- If authorization is successful and the customer confirms the payment, Google Pay provides the merchant with an encrypted payment token.
- The merchant sends the encrypted payment data to Solidgate via the Google Pay API, ensuring the gatewayMerchantId parameter contains the public API key of the channel used for Google Pay button initialization, and specifying is_decrypted: false or excluding the is_decrypted parameter.
- Solidgate decrypts the payment token and processes the transaction securely.
For further information about payment parameters, refer to the Google Pay API method.
Handle decryption on your side
If you are PCI DSS-compliant, you can decrypt Google Pay tokens on your side. For that, it is needed to:
- Have a Google Pay merchant ID Reference
- Have a H2H integration
- Follow Google’s guidelines to decrypt the token
To decrypt Google Pay tokens, take the steps described on the Google developer portal Reference . This involves using a cryptographic key and ensuring that sensitive data is securely processed.
Payment flow
- Retrieve the Google root signing keys.
- Confirm that the signature of the intermediate signing key is valid using any unexpired root signing key.
- Ensure the intermediate signing key for the payload is valid and not expired.
- Verify the signature of the payload using the intermediate signing key.
- Decrypt the contents of the payload after validating the signature.
- Check that the message is not expired by comparing the current time to the messageExpiration field in the decrypted contents.
- Send the payment data to Solidgate via the Google Pay API by specifying is_decrypted: true.
The use of is_decrypted: true implies that the data sent is decrypted, and this parameter defines the required fields in the request.
If is_decrypted is true, the request must:
- include the decrypted_data object
- specify either ECv1 or ECv2 for protocolVersion, which determines parameter validation in decrypted_data
- specify type auth and:
  - force3ds: true, false, or null if paymentMethod: CARD (ECv1) or authMethod: PAN_ONLY (ECv2)
  - force3ds: false or null if paymentMethod: TOKENIZED_CARD (ECv1) or authMethod: CRYPTOGRAM_3DS (ECv2)
  - it is highly recommended to provide the 3dsEciIndicator value with paymentMethod: TOKENIZED_CARD for a better transaction success rate
- exclude signature and signedMessage
Example with protocolVersion: ECv1 and paymentMethod: CARD:
{
  "is_decrypted": true,
  "decrypted_data": {
    "gatewayMerchantId": "your-public-api-key",
    "messageExpiration": "1507738377032",
    "messageId": "AH2EjtcHYs1Ye-ZIZuZXd7eNO4QjQfZjBDtP2ti0tob_a5o22lHmGWHsBVYrrSylkFC3ZTsRdvMadQpwOGCIl7XxhTKcfElmgF7UFbcI8CeUZCWRmbTH5s7h69Baqr4FAM735VNThPiP",
    "paymentMethod": "CARD",
    "paymentMethodDetails": {
      "pan": "4895370012003478",
      "expirationMonth": "12",
      "expirationYear": 2028
    }
  },
  "protocolVersion": "ECv1"
}
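A pre-flight check for the is_decrypted: true request body, combining the messageExpiration step with the structural rules listed above (the type rule is not covered). This is an added example, not Solidgate's or Google's code; the function name, the top-level placement of force3ds, and reading authMethod from paymentMethodDetails are assumptions.

```python
import time

# Constructed sample modelled on the ECv1 / CARD request on this page.
SAMPLE = {
    "is_decrypted": True,
    "decrypted_data": {
        "gatewayMerchantId": "your-public-api-key",
        "messageExpiration": "1507738377032",
        "messageId": "constructed-message-id",
        "paymentMethod": "CARD",
        "paymentMethodDetails": {"pan": "4895370012003478",
                                 "expirationMonth": "12", "expirationYear": 2028},
    },
    "protocolVersion": "ECv1",
}

def validate_decrypted_request(req, now_ms=None):
    """Return rule violations (field names only, never card data); [] means OK."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if req.get("is_decrypted") is not True:
        return ["is_decrypted must be true"]
    data = req.get("decrypted_data")
    if not isinstance(data, dict):
        return ["decrypted_data object is missing"]
    errors = []
    version = req.get("protocolVersion")
    if version not in ("ECv1", "ECv2"):
        errors.append("protocolVersion must be ECv1 or ECv2")
    for field in ("signature", "signedMessage"):
        if field in req or field in data:
            errors.append(f"{field} must be excluded")
    # messageExpiration: UTC milliseconds since epoch, carried as a string.
    try:
        if int(data["messageExpiration"]) <= now_ms:
            errors.append("message is expired")
    except (KeyError, TypeError, ValueError):
        errors.append("messageExpiration is missing or not numeric")
    # Assumption: authMethod sits in paymentMethodDetails, force3ds at top level.
    details = data.get("paymentMethodDetails")
    if not isinstance(details, dict):
        details = {}
    if version == "ECv1":
        tokenized = data.get("paymentMethod") == "TOKENIZED_CARD"
    else:
        tokenized = details.get("authMethod") == "CRYPTOGRAM_3DS"
    if tokenized and req.get("force3ds") is True:
        errors.append("force3ds must be false or null for tokenized cards")
    return errors
```

Run against the live clock, the sample is reported as expired because its messageExpiration timestamp is in the past; pass now_ms to test with a fixed time.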